
ANSSI R226 Interception Compliance Documentation

Document Purpose: This document provides technical specifications required for ANSSI R226 authorization under Articles R226-3 and R226-7 of the French Penal Code for the OmniTAS IMS Application Server.

Classification: Regulatory Compliance Documentation

Target Authority: Agence nationale de la sécurité des systèmes d'information (ANSSI)

Regulation: R226 - Protection of Correspondence Privacy and Lawful Interception


1. DETAILED TECHNICAL SPECIFICATIONS

1.1 Commercial Technical Datasheet

Product Name: OmniTAS IMS Application Server

Product Type: Telecommunications Application Server (TAS)

Primary Function: IMS (IP Multimedia Subsystem) call processing and session management

Network Protocols: SIP, Diameter, HTTP/HTTPS, SS7/MAP

Deployment Model: On-premises server application

Core Capabilities

Call Processing:

  • Session Initiation Protocol (SIP) proxy and B2BUA functionality
  • IMS Initial Filter Criteria (iFC) processing
  • Session routing and call control
  • Emergency call handling (E.164 PSAP routing)
  • Call Detail Record (CDR) generation

Network Interfaces:

  • Northbound: IMS S-CSCF interface (SIP over TCP/UDP)
  • Southbound: SBC/Gateway interface (SIP trunking)
  • Diameter: Sh (subscriber data), Ro (online charging)
  • SS7: MAP gateway interface for HLR/MSC interworking
  • HTTP/HTTPS: External service integration (SMS, TTS, MAP gateway)

Storage and Processing:

  • Real-time session state management
  • CDR storage and retrieval
  • Subscriber registration database (Sofia SIP)
  • Configuration database (SQLite)

1.2 Interception Capabilities

1.2.1 Signal Acquisition

SIP Signaling Capture:

  • The OmniTAS processes all SIP signaling messages between IMS subscribers and external networks
  • Full access to SIP headers including:
    • Calling party identification (From, P-Asserted-Identity)
    • Called party identification (To, Request-URI)
    • Contact URIs and network location
    • Call routing information
    • Session description (SDP) including media codecs and endpoints

Call Metadata Acquisition:

  • Complete Call Detail Records (CDR) stored in database with:
    • Timestamp (start, answer, end times)
    • Caller and callee identifiers (MSISDN, IMSI, SIP URI)
    • Call direction (mobile originating/terminating)
    • Call result (answered, busy, failed, etc.)
    • Duration and charging information
    • Network location data (cell tower information when available)

Session Recording Interface (SIPREC):

  • SIPREC protocol support for lawful interception
  • Capability to replicate SIP signaling to external recording servers
  • Configurable session recording policies
  • Licensing Control: SIPREC functionality requires explicit licensing authorization
  • Access Control: SIPREC configuration restricted to authorized administrators

1.2.2 Media Processing Capabilities

Media Plane:

  • B2BUA with RTP media relay capabilities
  • RTP streams pass through the server
  • Access to media flows for interception purposes
  • SDP parsing for media endpoint and codec information

Signaling Plane:

  • SIP message parsing and analysis
  • Diameter message encoding/decoding (Sh, Ro interfaces)
  • HTTP/HTTPS request/response processing

1.2.3 Analysis Capabilities

Real-Time Call Monitoring:

  • Web UI dashboard showing active calls with:
    • Call state (trying, ringing, active, terminated)
    • Caller/callee information
    • Call duration
    • Media codec information
    • Network endpoints

Historical Analysis:

  • CDR database queryable by:
    • Time range
    • Calling/called party number
    • Call type (voice, emergency, etc.)
    • Call result/disposition
    • Duration thresholds

Subscriber Tracking:

  • Active registration monitoring
  • Subscriber location tracking via:
    • IMS registration contact URI
    • P-Access-Network-Info header (cell tower identification)
    • IP address and port information
  • Historical registration records

Network Analytics:

  • Call volume metrics (Prometheus integration)
  • Gateway status and connectivity
  • Diameter peer connectivity
  • System performance metrics

For comprehensive metrics documentation, see metrics.md, which covers detailed monitoring, alerting, and observability configuration.

Location Intelligence:

  • Cell tower database integration
  • E.164 number to geographic location mapping (North American Numbering Plan)
  • Emergency services routing (PSAP mapping)

1.3 Countermeasure Capabilities

1.3.1 Privacy Protection Mechanisms

Communication Confidentiality:

  • Diameter TLS transport security
  • HTTPS for web interfaces and APIs
  • Database encryption at rest (configurable)

Access Control:

  • Role-based access control (RBAC) for web UI
  • Password hashing with SHA-512 and salt (65,532 iterations)

Audit Logging:

  • Complete audit trail of administrative actions
  • Configuration change logging
  • Authentication event logging
  • Tamper-evident log storage

1.3.2 Anti-Interception Features

Secure Communications:

  • Mandatory TLS for external interfaces (configurable)
  • Certificate-based authentication
  • Perfect Forward Secrecy (PFS) cipher suites

Data Protection:

  • Automatic CDR retention policies
  • Secure data deletion capabilities
  • Database access controls
  • Network segmentation support (separate management/signaling/media networks)

System Hardening:

  • Boot parameter protection
  • Integrity verification mechanisms
  • Minimal attack surface (only required services enabled)

1.4 Technical Architecture for Lawful Interception

Lawful Interception Integration Points

1. SIPREC Interface (Session Recording Protocol - RFC 7866):

2. CDR Export Interface:

  • CDR export to external systems
  • Standard formats (CSV, JSON)
  • Secure transfer (HTTPS)

3. Direct Database Access:

  • Read-only database credentials for authorized systems
  • SQL query access to CDR tables
  • Subscriber registration data access
  • Audit log access

4. API Integration:

  • RESTful API for call monitoring
  • Real-time active call queries
  • Historical CDR retrieval
  • Subscriber registration status

Interception Triggering Mechanisms

Target-Based Interception:

  • Subscriber identifier matching (MSISDN, IMSI, SIP URI)
  • Configurable interception rules in application logic
  • SIPREC session forking based on caller/callee identity

Event-Based Interception:

  • Emergency call detection and recording
  • Specific destination number monitoring
  • Geographic area-based triggering (cell tower location)

Time-Based Interception:

  • Scheduled recording windows
  • Retention period enforcement
  • Automatic expiration of interception warrants

2. ENCRYPTION AND CRYPTANALYSIS CAPABILITIES

2.1 Cryptographic Capabilities Overview

The OmniTAS IMS Application Server implements cryptographic mechanisms for securing communications and protecting sensitive data. This section documents all cryptographic capabilities in accordance with ANSSI requirements.

2.2 Transport Layer Encryption

2.2.1 TLS/SSL Implementation

Supported Protocols:

  • TLS 1.2 (RFC 5246)
  • TLS 1.3 (RFC 8446)
  • SSL 2.0/3.0: DISABLED (known vulnerabilities)
  • TLS 1.0/1.1: DEPRECATED (configurable, disabled by default)

Cipher Suites (Configurable Priority List):

Preferred - TLS 1.3:

  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256

Supported - TLS 1.2:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Security Features:

  • Perfect Forward Secrecy (PFS) required
  • Strong Diffie-Hellman groups (2048-bit minimum)
  • Elliptic Curve Cryptography: NIST P-256, P-384, P-521
  • Server Name Indication (SNI) support
  • OCSP stapling for certificate validation

Certificate Management:

  • X.509 certificate support
  • RSA key sizes: 2048-bit minimum, 4096-bit recommended
  • ECDSA support (P-256, P-384)
  • Certificate chain validation
  • CRL and OCSP revocation checking
  • Self-signed certificates (development only)
  • External CA integration

Applications:

  • HTTPS for web UI and API access
  • Diameter over TLS

2.3 Data Encryption at Rest

2.3.1 Database Encryption

SQLite Encryption:

  • SQLCipher integration support
  • AES-256 encryption
  • Encrypted storage for sensitive data (CDR, subscriber data)

2.3.2 File System Encryption

Sensitive Data Storage:

  • CDR files: AES-256 encryption (optional)
  • Configuration files: Encrypted storage for credentials
  • Private keys: Encrypted keystores (PKCS#12, PEM with passphrase)
  • Log files: Encryption support for archived logs

Key Storage:

  • File-based keystores with passphrase protection
  • Secure key rotation mechanisms

2.4 Authentication and Password Cryptography

2.4.1 Password Hashing

Algorithm: SHA-512 with salt

Configuration:

  • Randomly generated salt (128-bit minimum)
  • 65,532 iteration rounds (configurable)
  • Salt stored alongside hash
  • Resistant to rainbow table attacks

Storage Format:

$6$rounds=65532$<salt>$<hash>

Applications:

  • Web UI user authentication
  • API token generation
  • Administrator password storage
  • Database user credentials

2.4.2 SSH Key Authentication

Supported Key Types:

  • RSA: 1024-4096 bits (2048-bit minimum recommended)
  • DSA: 1024-4096 bits (deprecated, RSA preferred)
  • ECDSA: P-256, P-384, P-521 curves
  • Ed25519: 256-bit (preferred for new deployments)

Key Management:

  • External key generation support
  • Public key import for client authentication
  • Server host key management
  • Individual key revocation
  • Key rotation procedures

SSH Protocol:

  • SSH-2 protocol only (SSH-1 disabled)
  • Strong MAC algorithms (HMAC-SHA2-256, HMAC-SHA2-512)
  • Key exchange: curve25519-sha256, ecdh-sha2-nistp256, diffie-hellman-group14-sha256

2.5 Diameter Protocol Security

2.5.1 Diameter Security Mechanisms

Transport Security:

  • TLS over TCP for Diameter peer connections
  • Mutual certificate authentication

Application-Level Security:

  • Peer authentication via Origin-Host/Origin-Realm validation
  • Shared secret configuration (legacy, deprecated)
  • AVP (Attribute-Value Pair) encryption for sensitive data
  • End-to-end security with CMS (Cryptographic Message Syntax)

2.6 SIP Identity Mechanisms

P-Asserted-Identity:

  • Trusted network assertion
  • Identity validation and translation
  • Privacy header support

Note: Subscriber authentication is performed by the IMS Core (P-CSCF/S-CSCF), not by the TAS.

2.7 Cryptanalysis and Security Assessment Capabilities

2.7.1 Protocol Analysis Tools

Built-in Debugging Capabilities:

  • SIP message tracing with full header/body capture
  • Diameter message logging (AVP decoding)
  • TLS handshake debugging
  • Certificate chain validation logging

External Integration:

  • Wireshark/tcpdump packet capture support
  • SSLKEYLOGFILE export for TLS decryption (development only)
  • PCAP export for offline analysis

2.7.2 Vulnerability Assessment Considerations

Known Cryptographic Weaknesses:

  • Legacy MD5 support in SIP Digest (maintained for backward compatibility)
  • Configurable weak cipher suites (disabled by default)
  • Self-signed certificate support (development/testing only)

Security Testing:

  • Regular security audits recommended
  • Penetration testing support
  • Cipher suite strength validation
  • Certificate expiration monitoring

2.8 Key Management Infrastructure

2.8.1 Key Generation

Internal Key Generation:

  • RSA key generation: OpenSSL library (FIPS 140-2 compliant algorithms)
  • Random number generation: /dev/urandom (Linux kernel CSPRNG)
  • Entropy sources: Hardware RNG, system entropy pool

2.8.2 Key Storage and Protection

Private Key Storage:

  • File system with restricted permissions (0600)
  • Encrypted PEM format with passphrase
  • Secure deletion on key rotation

Key Backup:

  • Encrypted backup procedures
  • Split-key recovery mechanisms
  • Secure key escrow (if required by regulation)

2.8.3 Key Distribution

Certificate Distribution:

  • Manual import via web UI
  • Automated provisioning via API
  • ACME protocol support (Let's Encrypt, future enhancement)

Symmetric Key Distribution:

  • Out-of-band key exchange for Diameter peers
  • Diffie-Hellman key agreement in TLS
  • No cleartext key transmission

2.9 Compliance and Standards

Cryptographic Standards Compliance:

  • NIST SP 800-52: TLS guidelines
  • NIST SP 800-131A: Cryptographic algorithm transitions
  • RFC 7525: TLS recommendations
  • ETSI TS 133 310: IMS network security
  • 3GPP TS 33.203: IMS access security

French Cryptography Regulations:

  • Cryptographic means declaration (if applicable)
  • ANSSI cryptographic product certification (if required)
  • No export-restricted cryptography (all standard algorithms)

2.10 Cryptanalysis Resistance

2.10.1 Design Principles

Defense Against Cryptanalysis:

  • No custom/proprietary cryptographic algorithms
  • Industry-standard, peer-reviewed algorithms only
  • Regular security updates for cryptographic libraries
  • Deprecation of weak algorithms

2.10.2 Operational Security

Key Rotation:

  • TLS certificate renewal (annually recommended)
  • Session key rotation (per-session for TLS)
  • Password expiration policies (configurable)

Monitoring and Detection:

  • Failed authentication attempt logging
  • Certificate expiration alerts
  • Cipher suite negotiation logging
  • Anomaly detection for encryption failures

3. INTERCEPTION CONTROL AND AUTHORIZATION

3.1 Access Control for Lawful Interception

Administrative Authorization:

  • Lawful interception features require administrator-level privileges
  • SIPREC configuration access: Super-admin role only
  • CDR access: Configurable role-based permissions
  • Audit logging of all interception-related actions

Legal Framework Integration:

  • Interception warrant tracking (external system integration)
  • Target identifier authorization lists
  • Time-limited interception activation
  • Automatic deactivation on warrant expiration

3.2 Data Retention and Privacy

Retention Policies:

  • CDR retention: Configurable (default 90 days, regulatory requirement 1 year)
  • Registration logs: Configurable retention
  • Audit logs: Minimum 1 year retention
  • Automatic purging of expired data

Privacy Protections:

  • Minimal data collection principle
  • Purpose limitation (telecommunications service provision)
  • Access logging and monitoring

3.3 Handover Interfaces for Law Enforcement

Standard Lawful Interception Interfaces:

  • ETSI LI (Lawful Interception) interface support (via external mediation device)
  • SIPREC to LI gateway integration
  • X1, X2, X3 interface support (external system)

Delivery Formats:

  • IRI (Intercept Related Information): CDR metadata
  • CC (Content of Communication): SIP signaling + media (via MRF)
  • Structured reporting: XML, JSON formats

4. SYSTEM SECURITY AND INTEGRITY

4.1 Boot Security

Secure Boot Mechanisms:

  • Boot parameter protection (ANSSI R226 requirement)
  • Configuration integrity verification
  • Tamper detection on startup
  • Secure configuration loading

4.2 Network Security

Network Security:

  • Minimal exposed ports (SIP, Diameter, HTTPS only)
  • Port-based access control
  • IP whitelisting/blacklisting

4.3 Intrusion Detection

Monitoring Capabilities:

  • Failed authentication monitoring
  • Unusual call pattern detection
  • Anomalous Diameter traffic detection
  • Security event alerting (SIEM integration)

5. DOCUMENTATION REFERENCES

5.1 Technical Manuals

Available documentation in the project repository:

  • README.md: System overview, architecture, and operational features
  • doc/deployment_guide.md: Deployment instructions (if available)
  • doc/configuration.md: Configuration reference (if available)

5.2 Security Certifications

  • Penetration Test Reports: [To be provided upon request]
  • Security Audit Reports: [To be provided upon request]
  • Cryptographic Module Validation: OpenSSL FIPS 140-2 compliance

5.3 Compliance Documentation

  • ANSSI R226 Authorization Request: This document
  • Lawful Interception Compliance: As required by French telecommunications regulations

6. CONTACT INFORMATION

Vendor/Operator Information:

  • Company Name: Omnitouch Network Services Pty Ltd
  • Address: PO BOX 296, QUINNS ROCKS WA 6030, AUSTRALIA
  • Contact Person: Compliance Team
  • Email: compliance@omnitouch.com.au

Technical Security Contact:

Legal/Compliance Contact:


APPENDICES

Appendix A: SIP Message Flow Examples

A.1 Mobile Originating Call Flow with Interception Points

Legend: [INTERCEPTION] = Points where lawful interception data is captured

A.2 Emergency Call with Location Tracking

A.3 SIPREC Recording Session Establishment

Appendix B: CDR Schema

The OmniTAS system stores Call Detail Records in a SQLite database (FreeSWITCH CDR format) located at /etc/freeswitch/db/cdr.db.

B.1 Key CDR Fields for Lawful Interception

| Field Name | Type | Description | Interception Relevance |
|---|---|---|---|
| uuid | TEXT | Unique call identifier | Session correlation |
| caller_id_number | TEXT | Calling party number (MSISDN) | Primary identifier for target tracking |
| caller_id_name | TEXT | Calling party display name | Identity verification |
| destination_number | TEXT | Called party number | Target destination tracking |
| start_stamp | DATETIME | Call start timestamp | Event timeline |
| answer_stamp | DATETIME | Call answer timestamp | Call establishment time |
| end_stamp | DATETIME | Call end timestamp | Session duration calculation |
| duration | INTEGER | Total call duration (seconds) | Session length |
| billsec | INTEGER | Billable seconds (answered time) | Actual conversation duration |
| hangup_cause | TEXT | Call termination reason | Call outcome analysis |
| sip_hangup_disposition | TEXT | SIP termination details | Protocol-level termination |
| network_addr | TEXT | Network IP address | Source location tracking |
| sip_from_user | TEXT | SIP From header user part | Original SIP identity |
| sip_to_user | TEXT | SIP To header user part | SIP destination |
| sip_call_id | TEXT | SIP Call-ID header | SIP session correlation |

B.2 CDR Query Examples for Lawful Interception

Query calls by target number:

SELECT * FROM cdr
WHERE caller_id_number = '+33612345678'
OR destination_number = '+33612345678'
ORDER BY start_stamp DESC;

Query calls within time window:

SELECT * FROM cdr
WHERE start_stamp BETWEEN '2025-11-01 00:00:00' AND '2025-11-30 23:59:59'
AND (caller_id_number = '+33612345678' OR destination_number = '+33612345678')
ORDER BY start_stamp DESC;

Export to CSV for law enforcement:

.mode csv
.output /tmp/interception_report.csv
SELECT caller_id_number, destination_number, start_stamp, end_stamp, duration, hangup_cause
FROM cdr
WHERE caller_id_number = '+33612345678'
ORDER BY start_stamp DESC;
.output stdout
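
The B.2 queries with the controls listed in sections 1.4 and 3.1 applied, as an added example that is not OmniTAS code: a read-only SQLite handle, bound parameters, the requested window clamped to the warrant's period, one audit line per request, and an owner-only export file. The warrant record, function names, audit file layout and sample rows are constructed assumptions; only the cdr column names come from B.1.

```python
import csv
import json
import os
import sqlite3
import tempfile

FIELDS = ["caller_id_number", "destination_number", "start_stamp",
          "end_stamp", "duration", "hangup_cause"]  # column names from B.1
# Hypothetical warrant record (constructed); "window" is the period it covers.
WARRANT = {"id": "W-EXAMPLE-1", "target": "+33612345678",
           "issued": "2025-11-01 00:00:00", "expires": "2025-12-31 23:59:59",
           "window": ("2025-11-01 00:00:00", "2025-11-30 23:59:59")}


def build_sample_db(path):
    """Create a CDR table filled with constructed rows (not real records)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE cdr (uuid TEXT, caller_id_number TEXT, "
                "destination_number TEXT, start_stamp DATETIME, "
                "end_stamp DATETIME, duration INTEGER, hangup_cause TEXT)")
    t, ok = WARRANT["target"], "NORMAL_CLEARING"
    con.executemany("INSERT INTO cdr VALUES (?,?,?,?,?,?,?)", [
        ("u1", t, "+33100000001", "2025-11-03 09:00:00", "2025-11-03 09:02:00", 120, ok),
        ("u2", "+33100000002", t, "2025-11-20 10:00:00", "2025-11-20 10:01:00", 60, ok),
        ("u3", "+33100000003", "+33100000004", "2025-11-04 11:00:00", "2025-11-04 11:05:00", 300, ok),
        ("u4", t, "+33100000005", "2025-12-02 08:00:00", "2025-12-02 08:00:30", 30, "USER_BUSY"),
    ])
    con.commit()
    con.close()


def audit(path, now, operator, warrant_id, outcome, rows):
    """Append one JSON line per request, including denied ones."""
    with open(path, "a") as fh:
        fh.write(json.dumps({"ts": now, "operator": operator, "warrant": warrant_id,
                             "outcome": outcome, "rows": rows}) + "\n")


def query_for_warrant(db_path, warrant, operator, start, end, now, audit_path):
    """Return the target's CDRs, never outside the warrant's own window."""
    # 'YYYY-MM-DD HH:MM:SS' strings sort chronologically, so plain comparison works.
    if not warrant["issued"] <= now <= warrant["expires"]:
        audit(audit_path, now, operator, warrant["id"], "DENIED", 0)
        raise PermissionError("warrant is not active")
    lo, hi = max(start, warrant["window"][0]), min(end, warrant["window"][1])
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)  # read-only handle
    try:
        rows = con.execute(
            f"SELECT {', '.join(FIELDS)} FROM cdr WHERE start_stamp BETWEEN ? AND ? "
            "AND (caller_id_number = ? OR destination_number = ?) "
            "ORDER BY start_stamp DESC",
            (lo, hi, warrant["target"], warrant["target"])).fetchall()
    finally:
        con.close()
    audit(audit_path, now, operator, warrant["id"], "OK", len(rows))
    return rows


def export_csv(rows, out_path):
    """Write the report owner-readable only; O_EXCL refuses a pre-existing file."""
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", newline="") as fh:
        csv.writer(fh).writerows([FIELDS, *rows])


def demo():
    """Run one permitted and one expired request against the sample data."""
    with tempfile.TemporaryDirectory() as d:
        db, log, out = (os.path.join(d, n) for n in ("cdr.db", "audit.jsonl", "report.csv"))
        build_sample_db(db)
        args = (db, WARRANT, "analyst1", "2025-11-01 00:00:00", "2025-12-31 23:59:59")
        rows = query_for_warrant(*args, now="2025-11-25 12:00:00", audit_path=log)
        export_csv(rows, out)
        try:
            query_for_warrant(*args, now="2026-01-05 00:00:00", audit_path=log)
        except PermissionError:
            pass  # refused after expiry, but the attempt is still audited
        with open(log) as fh:
            outcomes = [json.loads(line)["outcome"] for line in fh]
        return rows, os.stat(out).st_mode & 0o777, outcomes


if __name__ == "__main__":
    print(demo())
```

The December call (u4) and the unrelated call (u3) are excluded even though the operator asked for a window running to the end of December. The read-only connection string is a second line of defence; the querying account should also lack write permission on the database file.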

B.3 CDR API Access

The TAS provides programmatic access via the Tas.Cdr module:

# Get all calls for a specific number
Tas.Cdr.get_records_by(:caller_id_number, "+33612345678")

# Get calls in date range
Tas.Cdr.get_records_by_date_range("2025-11-01 00:00:00", "2025-11-30 23:59:59")

# Search with advanced filtering
Tas.Cdr.get_filtered_records(search: "33612345678", limit: 1000)

# Get statistics
Tas.Cdr.get_statistics()

B.4 CDR Retention

  • Default retention: Configurable (typically 90 days to 1 year)
  • Automatic purging: Supported
  • Manual export: Via Web UI at /cdr or API
  • Format: SQLite database, exportable to CSV/JSON

Appendix C: SIPREC Configuration Examples

SIPREC (Session Initiation Protocol Recording) enables the OmniTAS to send both call signaling and media to external Session Recording Servers for lawful interception.

C.1 SIPREC Architecture

C.2 Triggering SIPREC Recording

Recording can be triggered based on:

Target-based:

  • Caller phone number (caller_id_number)
  • Called phone number (destination_number)
  • SIP URI matching

Event-based:

  • All emergency calls (911, 112, etc.)
  • Calls to/from specific destinations
  • Time-window based recording

Geographic:

  • Cell tower location (via P-Access-Network-Info header)
  • IP address ranges

C.3 SIPREC Session Content

The SIPREC session sends to the SRS:

Signaling Metadata:

  • Complete SIP headers (From, To, P-Asserted-Identity)
  • Call-ID and session identifiers
  • Timestamps (start, answer, end)
  • Caller/callee information

Media Streams:

  • Participant 1 RTP stream (caller audio)
  • Participant 2 RTP stream (callee audio)
  • Codec information
  • DTMF tones

C.4 Integration with Law Enforcement

The Session Recording Server provides:

  • X1 Interface: Administrative function (warrant management)
  • X2 Interface: Intercept Related Information (IRI) - call metadata
  • X3 Interface: Content of Communication (CC) - actual media

The OmniTAS serves as the Session Recording Client (SRC) and delivers both IRI and CC to the SRS for handover to law enforcement via standardized interfaces.

Appendix D: Encryption Configuration Guide

D.1 Certificate Generation

Generate TLS Certificate:

# Generate private key
openssl genrsa -out server.key 4096

# Generate certificate signing request
openssl req -new -key server.key -out server.csr

# Self-signed certificate (for testing)
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

# Production: Obtain certificate from trusted CA

Note: SIP signaling to/from IMS does not use TLS. SIP communication is unencrypted TCP/UDP.

D.2 HTTPS Configuration for Web UI

API/Web Server TLS (config/runtime.exs):

config :api_ex,
  api: %{
    enable_tls: true,
    tls_cert_path: "priv/cert/server.crt",
    tls_key_path: "priv/cert/server.key",
    tls_versions: [:"tlsv1.2", :"tlsv1.3"],
    ciphers: [
      "ECDHE-RSA-AES256-GCM-SHA384",
      "ECDHE-RSA-AES128-GCM-SHA256",
      "TLS_AES_256_GCM_SHA384",
      "TLS_AES_128_GCM_SHA256"
    ]
  }

D.3 SIP Configuration

SIP interfaces use unencrypted TCP/UDP transport. No TLS configuration required.

FreeSWITCH SIP Profile:

<!-- SIP profile uses TCP/UDP only -->
<profile name="external">
  <settings>
    <param name="sip-port" value="5060"/>
    <param name="context" value="public"/>
  </settings>
</profile>

D.4 Diameter TLS Configuration

Diameter Peer TLS:

# Enable TLS for Diameter connections
config :diameter_ex,
  peers: [
    %{
      host: "dra.example.com",
      port: 3868,
      transport: :tls,
      tls_opts: [
        certfile: "priv/cert/diameter.crt",
        keyfile: "priv/cert/diameter.key",
        cacertfile: "priv/cert/ca.crt",
        verify: :verify_peer
      ]
    }
  ]

D.5 Database Encryption

SQLite Encryption with SQLCipher:

# config/runtime.exs
config :exqlite,
  encryption: true,
  encryption_key: System.get_env("DB_ENCRYPTION_KEY")

Note: Database encryption is optional. For lawful interception purposes, physical access controls and database access logging may be sufficient.

D.6 Password Security Configuration

Password hashing is automatically configured with SHA-512 and salt:

# Default password hashing configuration
config :pbkdf2_elixir,
  rounds: 65_532,
  salt_len: 16

No additional configuration required - secure by default.

Appendix E: Glossary

Regulatory and Standards Bodies

  • ANSSI: Agence nationale de la sécurité des systèmes d'information - French National Cybersecurity Agency
  • ETSI: European Telecommunications Standards Institute
  • 3GPP: 3rd Generation Partnership Project - Mobile telecommunications standards organization
  • IETF: Internet Engineering Task Force - Internet standards body

IMS Network Components

  • IMS: IP Multimedia Subsystem - All-IP network architecture for multimedia services
  • CSCF: Call Session Control Function - SIP server in IMS core
    • P-CSCF: Proxy-CSCF - First contact point for UE, SIP proxy
    • I-CSCF: Interrogating-CSCF - Entry point to operator's network
    • S-CSCF: Serving-CSCF - Session control and service triggering
  • HSS: Home Subscriber Server - Subscriber database
  • TAS: Telephony/Telecommunications Application Server - Service logic execution

Protocols and Signaling

  • SIP: Session Initiation Protocol (RFC 3261) - Signaling protocol for voice/video calls
  • SDP: Session Description Protocol (RFC 4566) - Media session parameters
  • RTP: Real-time Transport Protocol (RFC 3550) - Media stream transport
  • RTCP: RTP Control Protocol - Quality monitoring for RTP
  • SRTP: Secure RTP (RFC 3711) - Encrypted media streams
  • Diameter: AAA protocol used in IMS (authentication, authorization, accounting)
    • Sh: Diameter interface for subscriber data access
    • Ro: Diameter interface for online charging
  • SIPREC: Session Initiation Protocol Recording (RFC 7866) - Call recording protocol

Telecommunications Equipment

  • SBC: Session Border Controller - Network edge security and media gateway
  • MRF: Media Resource Function - Media processing (transcoding, mixing, recording)
  • UE: User Equipment - Mobile handset or device
  • PSAP: Public Safety Answering Point - Emergency services call center
  • DRA: Diameter Routing Agent - Diameter message routing

Lawful Interception

  • LI: Lawful Interception - Legal monitoring of telecommunications
  • IRI: Intercept Related Information - Call metadata for law enforcement
  • CC: Content of Communication - Actual voice/media content
  • SRC: Session Recording Client - SIPREC client (OmniTAS role)
  • SRS: Session Recording Server - SIPREC server for recording storage
  • X1 Interface: LI administrative interface (warrant provisioning)
  • X2 Interface: LI interface for IRI delivery
  • X3 Interface: LI interface for CC delivery
  • R226: Articles R226-3 and R226-7 of French Penal Code governing interception equipment

Call Processing

  • CDR: Call Detail Record - Billing and logging record for each call
  • B2BUA: Back-to-Back User Agent - SIP element that acts as both client and server
  • DTMF: Dual-Tone Multi-Frequency - Touch-tone signals
  • MSISDN: Mobile Station International Subscriber Directory Number - Phone number
  • IMSI: International Mobile Subscriber Identity - Unique subscriber identifier
  • E.164: International numbering plan for telephone numbers

Security and Encryption

  • TLS: Transport Layer Security (RFC 5246, RFC 8446) - Encryption protocol
  • PFS: Perfect Forward Secrecy - Cryptographic property ensuring session key security
  • SHA-512: Secure Hash Algorithm with 512-bit output
  • AES: Advanced Encryption Standard
  • RSA: Rivest-Shamir-Adleman - Public key cryptography algorithm
  • ECDSA: Elliptic Curve Digital Signature Algorithm
  • PKI: Public Key Infrastructure - Certificate management system
  • CA: Certificate Authority - Issues digital certificates
  • CRL: Certificate Revocation List
  • OCSP: Online Certificate Status Protocol

Network and Location

  • MAP: Mobile Application Part - SS7 protocol for mobile networks
  • HLR: Home Location Register - Subscriber location database (legacy)
  • SS7: Signaling System No. 7 - Legacy telephony signaling
  • NANP: North American Numbering Plan
  • Cell Tower/Cell ID: Mobile network base station identifier for location tracking

Data Formats and Storage

  • SQLite: Embedded relational database
  • SQLCipher: SQLite extension with encryption support
  • CSV: Comma-Separated Values - Export format
  • JSON: JavaScript Object Notation - Data interchange format
  • XML: eXtensible Markup Language - Structured data format

Application Components

  • API: Application Programming Interface - Programmatic access
  • UI: User Interface - Web-based control panel
  • RBAC: Role-Based Access Control - Permission system
  • UUID: Universally Unique Identifier - Session tracking

Document Version: 1.0

Date: 2025-11-29

Prepared for: ANSSI R226 Authorization Application

Document Classification: Regulatory Compliance - Confidential